Proposal for [illegible] Computer Security Project
I. Proposed Contractual Agreement


performance of work in support of this project subject to the written consent
of the Contracting Officer and other applicable regulations.


II. Statement of Objectives


The Project [illegible] be responsible for
achieving the Project Objectives assuming the level of [illegible]
support described in Section III below.


The general scope of "computer" systems/networks and activities which may
be covered by the recommendations and actions resulting from this project
[illegible] to agreement between the DCI and SECDEF is:


• All systems associated with classified intelligence
information and with other [illegible] of Defense
information.


• Data security but not "COMSEC per se," TEMPEST, nor
personnel and physical security for included systems.


[illegible] computer systems/networks will be included to the extent they fall
within the project's scope.


The Project Objectives (which will serve as individual task statements)
are:


1. A continuing current [illegible] included
systems and activities sufficiently identified that the sources of
threats and the associated risks can be cited and measured. There will
be two such estimates made: the first will be more general for wide-
audience use, while the second will be more specific designed for
detailed discussion by a selected small IC audience.


2. An Assessment of Security Measures and Processes now in place
within the Intelligence Community. This assessment will be
specifically oriented towards the systems, networks, and activities
included in the proposed project scope and will acknowledge the
following assertions or problems:


• Intelligence Community [illegible] or entities have or will have
the responsibility for measuring and accrediting the security of
individual computer systems, networks, and activities included in
project coverage.


• The increase in computer utilization has resulted in a large
number of computer systems, etc., whose security is not fully known
nor tested to approved joint DoD/DCI criteria.


• Security requirements of computer systems, etc., which are
the responsibility of the Intelligence Community are presumed to be
more demanding and more complex (e.g., compartmentation
requirements) than those of the remainder of the USG and the
private sector. Hence, a "buy" by the IC of commercial or other
USG products (services) will probably not even meet [illegible]
security requirements.


• A [illegible] assessment can be made on the basis of a
statistically significant set of examples and does not require
[illegible] of all included computer systems, etc.


• There has been a recognized lack of resources applied to
computer security; hence, the proposed assessment will serve to
highlight known or perceived deficiencies.


3. A Review and Delineation of [illegible] Computer Security
Responsibilities relevant to the activities within the scope of the
project. [illegible]


• A ten-year "patchwork quilt" of directives, organizational
charters, and traditional individual agency actions which results
in confusion on the part of users, "budget makers" and involved
managers and which has hindered progress [illegible].


• The large number of well-intentioned highly motivated
organizational entities with "assigned" responsibilities but
without accompanying resources.


• The need to know the existing [illegible] and
assignments upon which a well-structured, understandable, and
effective IC Computer Security policy and process can be built.


4. A Computer Security Technology Needs and Assessment [illegible] to
identify needed R&D projects and to identify where technology transfer
can adequately serve the Intelligence Community. Computer security is
an immature technology, and consequently there has been to date an
inadequate compilation of IC technology requirements upon which focused
[illegible] R&D efforts can be funded. The present situation is typified
by small, sometimes redundant projects which are unable to resolve the
more critical high priority problems.


This objective (task) will rely heavily on work already done by
and information available from CIA, DIA, NSA, OSD and the Military
Departments/Services. Also, there are private sector and other USG
organizations (e.g., NBS) which have excellent competencies and
technical information available to the IC.


5. An IC Action Plan for Carrying Out Its Computer Security
Responsibilities. This Action Plan will include:


• Mechanisms for maintaining current estimates of relevant
vulnerabilities and threats.


• Proposed organizational assignments of responsibilities
within the IC, DoD and, as appropriate, other USG agencies.


• A proposed mechanism for computer security assessment,
certification and accreditation.


• A priority ordering of computer systems, networks and
activities which should be addressed as to their computer [illegible]


• A proposed coordinated computer security R&D program with a
proposed continuing coordinating mechanism for a supportive R&D
program/budget process.


• A policy framework for the establishment and maintenance of
appropriate guidelines and [illegible] including DCID [illegible] and
other instruments.


• A mechanism for a continuing on-going relationship with the
R&D Community to facilitate communication and technology transfer.


6. A Draft Memorandum of Understanding (MOU) Between the DCI and
SECDEF to [illegible] IC and DoD computer security-related activities.


III. Government-Furnished Support


The Director of the IC Staff will assign or make available the [illegible]
of 2.5 IC Staff professional man years along with necessary cleared clerical
help. In addition the Director will arrange, as she believes necessary, for
appropriate participation by the Defense Intelligence Agency (DIA), the
Central Intelligence Agency (CIA), the National Security Agency (NSA),
[illegible], the Military Departments and Services, and others.


Participation by non-Government consultants will be required. These 
consultants will provide written reports essential and contributory to the 
project and will participate in workshops and meetings as appropriate. To
assure proper access and security controls, the IC Staff will directly fund
for consultant participation. It is expected that one-half professional year
equivalent of consultant support will be funded in this manner.
IV. Task Schedule


The following task schedule is proposed with all dates on an After
Receipt of Order (ARO) base.


• Task 1: A Continuing Estimate of Vulnerabilities
690 days ARO


This task will be performed primarily by IC analytic groups
and is therefore not under the control of the Project
Director. Nevertheless, the Project Director will support it to
the best of his/her ability and will structure work on the
remaining tasks to be as independent of the [illegible] date or
quality of this task as possible.


• Task 2: Assessment of Security Measures and Procedures
48 days ARO


• Task 3: Review and Delineation of [illegible] Computer Security
Responsibilities
250 days ARO


• Task 4: Computer Security Technology Needs [illegible]
220 days ARO


• Task 5: An IC Action Plan for Carrying Out Its Computer Security
Responsibilities
360 days ARO

• Task 6: A Draft MOU Between the DCI and SECDEF
First draft: 180 days ARO
Final draft: 360 days ARO


The task schedule assumes access to materials, documents and personnel
agreed upon as being essential to task completion. The task schedule also
assumes support by the IC Staff for [illegible] as being essential
to task completion.


V. Reporting Requirements


1. Written status reports covering progress to date, problems
encountered, and the expenditure of funds will be provided on a bimonthly
basis in the format prescribed by the COTR.


2. Reports will be provided upon completion of each task.


3. Oral briefings will be made by the Project Director upon request of
the COTR at dates mutually agreed upon.


4. The IC Staff will produce the required numbers of copies of the
Reports submitted for distribution as it determines necessary.


5. Any changes to the proposed schedule will be requested by the Project
Director at least ten working days ahead of the scheduled date for approval by
the COTR or the Contracting Officer as appropriate.


VI. Compensation and Method of Payment 


ROUTING AND TRANSMITTAL SLIP


TO: (Name, office symbol, room number,
building, Agency/Post)


1. C/os/TSsa 


Approval | For Clearance | Per Conversation | Prepare Reply | For Your Information | See Me | Investigate | Signature | Coordination | Justify


REMARKS

Jim,

Attached are two drafts to replace
One was done by OSD/DOD and the other by NSA.
The answers to the questions we talked about are:

a. Why? The IG/CM organizational study
said all PD's should be reviewed. In addition,
I understand that this was on Col. Wayne Kay's
plate for a long time before he left and
in fact had a draft to President Carter before
the latter left the White House. Old business.

b. Who directed? Partially explained above
but the NCSC and COG (or all users of [ ]) believe
it needs rehashing.

c. Next step? Wayne has another meeting
scheduled for next Monday. The group plans to
continue to massage this issue until they
believe it is ready for review by all interested


DO NOT use this form as a RECORD of approvals, [illegible]
clearances, and similar actions


FROM: (Name, org. symbol, Agency/Post) 


Room No.—Bldg. 


C /0C~CSD Phone No. 


041-102 
OPTIONAL FORM 41 (Rev. 7-76)
* GPO : 1981 O - 341-529 (120) FPMR (41 CFR) 101-11.206